Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Thursday, July 09, 2009

Safecount: Please opt us out of TACO

This afternoon, I received an interesting set of emails from Tom Kelly, the Chief Operating Officer at Safecount.

Hi Christopher -

A colleague forwarded us a link to your Taco download page where we were surprised to see Safecount listed with the likes of many ad networks.

While we, and I, find your development efforts to be interesting, and nicely in line with the entrepreneurial spirit of the web, some of the classifications on your page are quite misleading to consumers.

Safecount is a research company and we occasionally invite certain website visitors randomly to volunteer their opinions. We don't sell any products, we don't target anyone with advertising based on behavior or attitude, and we only work with publishers who give us permission to perform research on their sites.

After asking him if I could post his email to my blog, he followed up with this:

Sure thing, Chris. My point is that, while Safecount does place cookies on users' browsers based on certain ads they've seen:

A) we don't use that info to target any marketing or advertising to them - we're not a behavioral targeting group

B) we're 100% transparent in the cookies we do place

As a matter of fact, one can go to www.safcount.net and view ALL of the info we have for their computer (not personal info). There they can also delete that data and tell us how often they'd agree to be invited to take a quick survey, including "never". We're as much about control and transparency as I think you are.

Thanks, Chris.

- tom

It has been nearly four months since the first version of TACO was released. The latest version supports 84 different behavioral advertising firms, has been downloaded nearly 250,000 times, and is in daily use by nearly 80,000 users. That means that my tool is responsible for 6.7 million opt-out cookies (actually, it's more, because some networks require multiple cookies for different advertising domains). Holy cow!

In those four months, this is the first time that an advertising industry executive has asked me to remove his company's opt-out cookie from TACO, and so I am honestly not quite sure how to react.

My initial reaction is to say no, for the following reasons:

1. I have created TACO for fun, as a side project. I don't charge for TACO, and I have a day job (well, actually, several). I really don't have time to evaluate each advertising company one by one to figure out if the company engages in a good or bad activity. If consumers want that level of analysis, they are free to use the "complete" or "selective" opt-out tools provided by PrivacyChoice -- which is run by a former Yahoo! advertising executive who has Seen the Light, Loves Privacy And Who You Should Totally Trust (TM).

2. Picking individual advertising industry companies who should or should not be included in TACO is a slippery slope, which will open me up to criticism and accusations of abuse of power. TACO currently includes every generic, non-identifiable opt-out HTTP cookie of all the online advertising industry companies that I know about. This is an easy standard to adhere to, and should protect me from accusations of bias.

3. Safecount, WPP (the mega advertising firm which owns it), the Network Advertising Initiative and others are free to make their own competitors to TACO which provide users with more choice, which provide users with less choice, which make it more or less difficult to opt out, or which make you dinner and do your laundry. TACO is open source, so they are even free to fork my code, and save themselves the weekend of coding it will take to create it from scratch.

4. Safecount is an advertising industry firm, which uses long term cookies to track the browsing and other activities of end-users. The company might not be in the behavioral advertising business, but it is certainly in the collection of consumer data business, which is still creepy.

5. Safecount has provided consumers with the ability to opt-out of its data collection/use, but then objects when tools like TACO actually make it easy for consumers to opt-out. 99% of consumers have never heard of the company, and so wouldn't even know to visit their opt-out page in the first place.

6. If the company is really "as much about control and transparency" as I am, they could switch from an opt out model to an opt in model. Let consumers who value the survey taking experience choose to have data on their browsing across multiple websites collected and analyzed. If the company switched to this model, the opt-out mechanism provided by TACO would be moot.

7. Likewise, while consumers can "go to www.safcount.net and view ALL of the info we have for their computer (not personal info)," this simply isn't good enough. It is totally unrealistic to expect consumers to visit the websites of 90-100 different advertising firms to "view the data collected on them", evaluate it, consider each company's 20+ page privacy policy, and then evaluate the kind of business and data relationship that they'd like to have with that firm.

Consumers don't opt out of telemarketing from individual advertising firms after evaluating each firm's policy on calling during dinner hours -- No. They sign up for a single do-not-call list, and are then free of the annoyance. We need the same for the online advertising industry. A single opt-out for all data collection and usage.

After writing this all down, I think I am even more convinced that leaving Safecount in the list of opt-outs provided by TACO is a good idea.

However, I suppose a reasonable case can be made that the company is not a behavioral advertising firm -- and so I am open to at least changing the language on the TACO page to note that Safecount is merely an advertising firm that collects detailed information on the browsing and web viewing activity of Internet users.

Blog readers -- do you have any thoughts on this? Please leave a comment.

9 comments:

If you want to get really fancy and go on a coding bender you could create a separate category you could put "research firms" in for future when they look kinda research-y and not advert-y and provide a checkbox somewhere... but only if you get really bored.

I second what djcapelis said: update your description of TACO and leave this on the list. If anyone wants to opt back in, we'll just have to find a way to do so.

Also, note that when I attempted to browse to the site at the hostname Mr. Kelly cited in his second message to you, I found that he misspelled it. That doesn't lend credibility to his cause. He didn't even bother to mention which page on his site would let people view data his company has stored about us.

From their site: "The only information stored in Safecount's cookie tells us whether or not a particular ad was displayed on your computer, the time and date that ad was delivered..."

Well, since they are ONLY storing data that has been proven time and again to be able to identify people and their usage habits across the internet without their consent, I don't see what the big deal is.

Hey All - this is Tom Kelly, the COO at Safecount. I actually think the feedback here has been fair. Our only request is that we're labeled differently than a behavioral targeting group on the TACO page. I did mention removing us from that page, but only insofar as to disassociate us from the BT world (not that we think poorly of them - just that we're different). And it seems that Chris has agreed to that.

Providing the opt out function you do is perfectly cool - heck we do it ourselves.

Tom: Years ago the phone company (Bell Tel) tried to charge people to NOT list their number in the phone book. Isn't this the same thing? Like paying to NOT get The New York Times delivered, or to NOT get religious stations on cable? The entire industry's "opt out" scheme is web page spam and nothing else. I will not knowingly buy from companies that use your service. How about a "CONTACT TOM" button on your website?

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.